[Bug 1827442] Re: [MIR] libheif

Dirk Farin 1827442 at bugs.launchpad.net
Tue Aug 8 20:14:40 UTC 2023


Note that libheif packaging has changed in version 1.16.2-2.
Codecs are now split out into separate plugin packages.

We now have:
- libheif1           - main library
- libheif-examples   - command line tools
- libheif-dev
- heif-gdk-pixbuf
- heif-thumbnailer

and the codecs:
- libheif-plugin-aomdec  - AVIF decoder (based on libaom)
- libheif-plugin-aomenc  - AVIF encoder (based on libaom)
- libheif-plugin-dav1d   - alternative AVIF decoder (based on dav1d)
- libheif-plugin-rav1e   - alternative AVIF encoder (based on rav1e)
- libheif-plugin-svtenc  - alternative AVIF encoder (based on svt-av1)

- libheif-plugin-libde265  - HEIC decoder (based on libde265)
- libheif-plugin-x265      - HEIC encoder (based on x265)

In the next release, there will also be support for "kvazaar" as an
alternative HEIC encoder (instead of x265).

In order to be useful to the user:
- for AVIF support, the two codec packages based on libaom work best for me and are well maintained.
- for HEIC decoding support, the libde265 plugin package is required.

As x265 is NACKd, one could leave this out (no encoding support for
HEIC) and replace this with 'kvazaar' in the future.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to libheif in Ubuntu.
https://bugs.launchpad.net/bugs/1827442

Title:
  [MIR] libheif

Status in aom package in Ubuntu:
  Invalid
Status in dav1d package in Ubuntu:
  Invalid
Status in libde265 package in Ubuntu:
  Invalid
Status in libheif package in Ubuntu:
  In Progress
Status in x265 package in Ubuntu:
  Invalid

Bug description:
  [Availability]

  The package libheif is already in ubuntu/universe.
  The package libheif builds for the architectures it is designed to work on.
  It currently builds and works for architectures:
  amd64 arm64 armhf i386 ppc64el riscv64 s390x
  Link to package:  https://launchpad.net/ubuntu/+source/libheif

  [Rationale]

  - The package libheif is required in Ubuntu main for decoding
    ISO/IEC 23008-12:2017 HEIF files by libgd2 which is present in main.
  - The package libheif will not generally be useful for a large part of our user
    base, but is important/helpful still because no other package in main supports
    decoding of ISO/IEC 23008-12:2017 HEIF files.
  - The package libheif is a runtime dependency of package libgd2 that we already
    support.
  - It would be great and useful to community/processes to have the package
    libheif in Ubuntu main, but there is no definitive deadline.

  [Security]

  - libheif had 4 security issues in the past:
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-23109
      The github issue: https://github.com/strukturag/libheif/issues/207 is open,
      though developer comments that it was fixed in 1.7.0
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-19499
      Fixed in 1.5.0
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-19498
      Fixed in 1.5.0.
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11471
      Fixed in 1.5.0.
    The vulnerable versions are libheif < 1.7.0, current version 1.14.2
    Currently vulnerable packages (CVE-2020-23109) are deployed in focal and
    bionic. Jammy and up have no known vulnerabilities.
  - no `suid` or `sgid` binaries
  - no executables in `/sbin` and `/usr/sbin`
  - Package does not install services, timers or recurring jobs
  - Package does not open privileged ports (ports < 1024)
  - Package does contain extensions to security-sensitive software:
    the package provides HEIF image plugin which processes untrusted input

  [Quality assurance – function/usage]

  - The package does not work well right after install. There is a bug filed in
    debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029668
    1.14.2 contains significant regression, HEIC can not be read using viewnoir.
  - Basic test cases pass:
      apt install imagemagick
      wget https://filesamples.com/samples/image/heif/sample1.heif
      convert -verbose sample1.heif test.gif
      wget https://filesamples.com/samples/image/heic/sample1.heic
      convert -verbose sample1.heic test1.gif
    Notice that libgd2 HEIF support is disabled.
  - Compiling a sample that tries to save HEIF file produces following output
    "GD Warning: HEIF image support has been disabled"

  [Quality assurance - maintenance]

  - The package is maintained well in Debian/Ubuntu and has no bugs open
     - Ubuntu https://bugs.launchpad.net/ubuntu/+source/libheif/+bug
     - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=libheif
  - The package has important open bugs, listing them:
    - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014125
      Confirm CVE-2020-23109 fix
    - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029668
      1.14.2 contains significant regression, HEIC can not be read using
      viewnoir package [confirmed in lunar].
      Downgrading to 1.13.0-1 solves the issue.
  - The package does not deal with exotic hardware we cannot support

  [Quality assurance – testing]

  - The package does not run a test at build time because no unit tests are
    present in the repository upstream:
    https://launchpadlibrarian.net/646769183/buildlog_ubuntu-lunar-amd64.libheif_1.14.2-1_BUILDING.txt.gz
    https://github.com/strukturag/libheif
  - The package does not run an autopkgtest because no autopackage tests are
    present.
    Note: upstream contains a CI script that can be adapted for autopkgtests:
    https://github.com/strukturag/libheif/blob/master/scripts/run-ci.sh

  This section is not complete, as the test plan/approach for developing
  autopkgtests needs to be discussed.
  TODO: - The package can not be tested at build or autopkgtest time because TBD
  TODO:   to make up for that here TBD is a test plan/automation and example
  TODO:   test TBD (logs/scripts)

  [Quality assurance - packaging]

  - debian/watch is present and works BUT also get-orig-head target is present
    in debian/rules that produces a different result.
    There is no specific documentation on which method to use.
  - debian/control defines a correct Maintainer field
  - This package does not yield massive lintian Warnings, Errors
    https://udd.debian.org/lintian/?packages=libheif
  - Please link to a recent build log of the package
    https://launchpadlibrarian.net/646769183/buildlog_ubuntu-lunar-amd64.libheif_1.14.2-1_BUILDING.txt.gz
  - Please attach the full output you have got from `lintian --pedantic` as an
    extra post to this bug.
  - Lintian overrides are not present
  - This package relies on obsolete or about to be demoted packages
    see https://udd.debian.org/lintian/?packages=libheif, consider using
    libgdk-pixbuf-2.0-dev instead of transitional libgdk-pixbuf2.0-dev
  - This package has no python2 or GTK2 dependencies
  - The package will not be installed by default
  - Packaging and build is easy, link to d/rules:
    https://salsa.debian.org/multimedia-team/libheif/-/blob/master/debian/rules

  [UI standards]

  - Application is not end-user facing (does not need translation)
  - End-user applications without desktop file, not needed because application
    does not provide GUI

  [Dependencies]

  - There are further dependencies that are not yet in main, MIR for them
    is at:
    - aom: LP: #2004442
    - dav1d: LP: #2004446
    - libde265: LP: #2004449
    - x265: LP: #2004453

  [Standards compliance]

   - This package correctly follows FHS and Debian Policy

  [Maintenance/Owner]

  - Owning Team will be Foundations team
  - Team is already subscribed to the package
  - This does not use static builds
  - This does not use vendored code
  - This package is not rust based

  [Background information]

  The Package description explains the package well
  Upstream Name is libheif
  Link to upstream project https://github.com/strukturag/libheif/
